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METHOD FOR CIRCUIT RECOVERY FROM OVERSTRESS CONDITIONS 

Field of the Invention 

The present invention relates to a method and/or 
architecture for implementing microcontrollers and systems that 
execute firmware generally and, more particularly, to a method 
and/or architecture for recovery from circuit stress conditions in 
a microcontroller. 

Background of the Invention 

Conventional approaches to robust operation in the 
presence of severe environmental stresses include specifying high 
device immunity to stress conditions. While elecrostatic discharge 
(ESD) immunity levels are typically specified for all parts, they 
do not provide robust operation in the presence of all stress 
conditions. ESD tests normally provide immunity for powered off 
conditions (i.e., protection during handling), and as a natural 
consequence, provide protection during some operation stresses 
(i.e., over/under voltages or currents). However, the trip level 
of ESD protection may not prevent other modes of failure that occur 
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at lower levels. For example, an ESD protection circuit may trip 
at 8V overstress on the pin of a 5V part. However, the ESD 
protection circuit will not trip for a 7V overstress that allows a 
hazardous noise glitch. Additional devices are implemented to 
increase noise immunity (i.e., adding bypass capacitors to relevant 
signals) that have associated cost and space penalties. 

Other conventional approaches include watchdog reset 
circuits to reset a device that is no longer in the normal 
operating mode. Watchdog reset circuits can allow recovery from a 
fault condition caused by an overstress. Watchdog reset circuits 
are effective in cases of significant failure that places the 
device in a recognized fault mode. Such resets occur when program 
code is vectored to an illegal location, which causes code 
execution to halt until the watchdog reset occurs. 

However, a stress condition can cause faulty operation 
that is not recognizable by the watchdog reset device. For 
example, a device can vector to an unintended part of code, 
resulting in faulty operation. The device can continue to operate 
within legal parts of the code and is unable to detect that a 
problem has occurred. In another example, corruption of memory 
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(i.e., RAM) that occurs during an event is undetected and causes 
failure at another event. 

Summary of the Invention 

The present invention concerns a method for circuit 
recovery from overstress conditions, comprising the steps of (A) 
detecting an event and (B) resetting a device when the event is a 
first predetermined type and providing recovery when the event is 
a second predetermined type . 

The objects, features and advantages of the present 
invention include providing a method and/or architecture for 
implementing microcontrollers and systems that execute firmware to 
provide recovery from stress conditions that may (i) detect 
over-stresses to increase the robustness of device operation, (ii) 
implement a device that may either directly reset itself or monitor 
itself and take appropriate recovery action when stress conditions 
occur, (iii) provide flexibility in response to stress conditions, 

(iv) call for a quick and complete reset after stress conditions, 

(v) perform self checking, issue warnings, perform back-up 
operations, shut-down, or other recovery steps before or in place 
of a full reset in response to a predetermined criteria, (vi) 



0325.00497 
CD01089 

register and monitor stress conditions, and/or (vii) allow a device 
to take any appropriate action when stress conditions are 
occurring. 

Brief Description of the Drawings 

These and other objects, features and advantages of the 
present invention will be apparent from the following detailed 
description and the appended claims and drawings in which: 

FIGS. 1 (a-b) are flow charts illustrating preferred 
embodiments of the present invention; 

FIG. 2 is a block diagram illustrating an exemplary 
implementation of the present invention; 

FIGS. 3 (a-c) are block diagrams of overvoltage detect 

circuit; 

FIG. 4 is a block diagram of an undervoltage detect 

circuit; 

FIG. 5 is a block diagram of a short pulse detect circuit 
implemented in connection with the present invention; 

FIG. 6 is a block diagram of an overvoltage detect 
circuit with a differential amplifier; and 
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FIG. 7 is a block diagram of a high current detect 

circuit . 

Detailed Description of the Preferred Embodiments 

Referring to FIGS, la and lb, a block diagram of a 
process (or method) 100 is shown in accordance with a preferred 
embodiment of the present invention. The process 100 may allow 
recovery from circuit stress conditions (or events) that may cause 
a device to stop operating properly. In particular, the process 
100 may apply to microcontrollers and systems that execute firmware 
to provide recovery from overstress conditions (to be described in 
connection with FIG. 2) . Stress conditions include those covered 
by industry standard tests for electrostatic discharge (ESD) , 
electrical fast transient /burst (EFTB) , radiated EMI, and operation 
in severe environments where significant noise coupling may occur 
and upset the operation of an electronic device. The process 10 0 
may allow devices to detect stress events and take appropriate 
action (e.g., initiating a reset or recovery routine) to recover 
from possible undesirable effects. The circuit 100 may also be 
configured to detect and recover from an undesired voltage drop in 
a system (e.g., grounding of a power line) . Such a fault condition 
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typically causes large current to flow in the system, resulting in 
detectable differences between two points in a supply (e.g., a 
ground signal or a power signal) . 

FIG. la illustrates the process 100 comprising a state 
102, a state 104, a state 106 and a state 108. While in the state 
102, the process 100 may detect fault causing conditions (e.g., a 
fault causing event may occur) . The process 100 may then continue 
to the state 104. While in the state 104, the process 100 may 
store the event. In one example, the event may be stored in a 
register (not shown) . The process 100 may then proceed to the 
state 106. While in the state 106, the process 100 may read an 
event detector (e.g., an event table) to determine a type of event. 
The process 100 may read the event detector (or table) as part of 
a continuous monitoring process. The process 100 may then continue 
to the state 108. While in the state 108, the process 100 may take 
appropriate action (e.g., a particular action in response to a 
particular event type) . For example, one case of an event may call 
for a quick and complete reset after stress events, while another 
case of an event may perform self checking, issue warnings, perform 
back-up operations, shut-down, or other recovery steps may be 
implemented before or in place of a full reset. 
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The process 100 may detect (e.g., the state 102) and 
store (e.g., the state 104) the occurrence of an overstress 
condition. The process 100 may allow events that cause faulty 
operation to be detected, that would otherwise go undetected. The 
process 100 may then provide fault operation recovery. The process 
100 may detect and recover from stress events as well as provide 
fault operation detection. For example, the process 100 may detect 
an overstress event and store the fault causing event occurrence 
for later action. The fault causing event may then be recognized 
and appropriate action may be taken for device recovery. 

FIG. lb illustrates another preferred embodiment 100 7 of 
the present invention. At the state 102, the process 100' may 
detect a fault causing event. The process 7 may then proceed to a 
state 110. At the state 110, the process 100 7 may perform a direct 
device reset. The process 100 7 may be less flexible than the 
process 100. However, the process 100 7 may be applicable when 
monitoring for fault conditions is not available (e.g., no system 
processor) , or where fault conditions are generally known to need 
a device reset (e.g., other prior responses are not needed). 

Referring to FIG. 2, a system (or a circuit) 2 00 is shown 
illustrating an exemplary implementation of the present invention. 
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The circuit 200 generally comprises a stress detection circuit 202 
and a monitoring circuit 204. In one example, the monitoring 
circuit 2 04 may be implemented as a processor. In another example, 
the monitoring circuit 2 04 may be implemented as a microcontroller 
or other processing device. The microcontroller 2 04 may implement 
the states 102, 104 and 106 of FIG. la. 

Detection of over/under-voltage typically occurs on an 
input pin. Over/under-voltages may result from ESD events, or 
other transient events generally tested for by the EFTB test. For 
example, in the EFTB test, a fast, high voltage transient is 
coupled onto either a power line or device cables of a tested 
system. Such events provide a variety of possibilities for failure 
in a device. Determining the exact subsequent corruption or 
failure with certainty is generally difficult. The process 100 may 
register the presence of such an event and respond by taking 
appropriate action. 

Referring to FIGS. 3 (a-c) , a circuit (or system) 300 for 
detecting over-voltages in a typical CMOS process (e.g., excursions 
beyond a positive supply) is shown. However, other processes may 
be implemented accordingly to meet the design criteria of a 
particular implementation. FIG. 3a illustrates the circuit 300 
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comprising a pad circuit 302, a pad 304 a resistance block 306, a 
transistor 308, a resistance block 310 and a register 312. The 
resistance block 3 06 may have a predetermined resistance value 
(e.g., RLIMIT) . The resistance block 310 may have a predetermined 
resistance value (e.g., RLOAD) . While the transistor 308 is shown 
as a PMOS device, an NMOS device may be implemented with an 
appropriate adjustment to the signal before being presented to the 
gate of the transistor 308 (to be discussed in more detail in 
connection with FIG. 4) . 

The pad circuit 302 may be coupled to the pad 304. The 
pad 3 04 may be coupled to an external device (not shown) . The pad 
304 may also be coupled to a first side of the resistance block 
(RLIMIT) 306. A second side of the resistance block (RLIMIT) 306 
may be coupled to a source of the transistor 308. A gate of the 
transistor 308 may be coupled to a power supply (e.g., VCC) . A 
drain of the transistor 3 08 may be coupled to a first side of the 
resistance block (RLOAD) 310. A second side of the resistance 
block (RLOAD) 310 may be coupled to ground. The resistance block 
(RLOAD) 310 may also be coupled to the register 312. The register 
312 may be clocked by the resistance circuit (RLOAD) 310. The 
register 312 may be configured to generate (and/or store) a signal 
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(e.g., EVENT_OVER) . The signal EVENT_OVER may be configured as a 
fault causing event signal. In one example, the signal EVENT_OVER 
may be configured as an over-voltage event signal. 

The transistor 308 may remain OFF until a voltage of the 
pad 304 rises above the VCC voltage. When the pad voltage is 
approximately a PMOS threshold above VCC, current may flow in the 
from the pad, through the transistor 3 08 to ground. The resistance 
block (RLOAD) 310 may be implemented to develop a voltage from the 
current. In one example, the resistance block (RLOAD) 310 may be 
implemented as a single resistor or combination of resistors. In 
another example, the resistance block (RLOAD) 310 may be 
implemented as an inductor configured to generate a voltage pulse 
in response to a current pulse. The resistance block (RLOAD) 310 
may then provide a pulse to trigger the event detect register 312. 
The output EVENT_OVER of the register 312 may then be available for 
monitoring. In one example, the register 312 may be implemented as 
a flip-flop memory element. In another example, the register 312 
may be implemented as a latch element, a memory cell, a non- 
volatile memory, or a flash memory. However, the register 312 may 
be implemented as another appropriate type device in order to meet 
the criteria of a particular embodiment. Optionally, a device for 
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clearing the register 312 may be included to allow detection of 
subsequent events . 

The resistance block (RLIMIT) 306 may be optionally 
implemented. The current limiting element RLIMIT 3 06 may be 
implemented to protect the transistor 308 from damage. The current 
limiting element RLIMIT 306 may reduce the sensitivity of the 
circuit 300. However, such an implementation may be both 
advantageous (e.g., to avoid tripping on smaller, non-hazardous 
events) and disadvantageous (e.g., difficult to trip on the fault 
causing events) . 

FIG. 3b illustrates a circuit 300' that may be similar to 
the circuit 3 00. The circuit 3 00 ' may be implemented without the 
register 312 (of FIG. 3a) . However, the circuit 300' may implement 
a reset circuit 314. The reset circuit 314 may generate (and/or 
store) a signal (e.g., DEVICE_RESET) . The reset circuit 314 may be 
implemented as a storage type circuit or other appropriate circuit 
to meet the criteria of a particular implementation. FIG. 3c 
illustrates a circuit 300'' that may be similar to the circuits 300 
and 300'. The circuit 300'' may comprise the register 312 and the 
reset circuit 314. The circuit 300 may illustrate an 

implementation of the process 100 (of FIG. la) . The circuit 300' 
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may illustrate an implementation of the process 100' (of FIG. lb) . 
The circuit 300' ' may illustrate an implementation of the process 
100 (of FIG. la) and the process 100' (of FIG. IB) . 

Referring to FIG. 4, a circuit (or system) 400 for 
detecting under-voltages (e.g., excursions beyond a negative 
supply) is shown. The circuit 400 generally comprises a pad 
circuit 402 , a pad 404 a resistance block 406, a transistor 408, a 
resistance block 410 and a register 412. The resistance block 406 
may have a predetermined resistance value (e.g., RLIMIT) . The 
resistance block 410 may have a predetermined resistance value 
(e.g. , RLOAD) . 

The pad circuit 402 may be coupled to the pad 404. The 
pad 404 may be coupled to an external device (not shown) . The pad 
404 may also be coupled to a first side of the resistance block 
(RLIMIT) 406. A second side of the resistance block (RLIMIT) 406 
may be coupled to a drain of the transistor 408. A gate of the 
transistor 408 may be coupled to a ground supply. A source of the 
transistor 408 may be coupled to a first side of the resistance 
block (RLOAD) 410. A second side of the resistance block (RLOAD) 
410 may be coupled to the power supply (e.g., GND) . The resistance 
block (RLOAD) 410 may also be coupled to the register 412. The 
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register 412 may be clocked by the resistance circuit (RLOAD) 410. 
The register 412 may be configured to generate (and/or store) a 
signal (e.g., EVENT_UNDER) . The signal EVENTJJNDER may be 
configured as a fault causing event signal. In one example, the 
signal EVENT_UNDER may be configured as a under-voltage event 
signal. The circuit 400 may operate similarly to the circuit 3 00, 
where the NMOS device 400 may remain off, until an under-voltage 
event sufficiently below ground voltage causes current flow, 
setting the output EVENT_tHSfDER . 

Referring to FIG. 5, a circuit (or system) 500 
illustrating detection of a noise coupling event is shown. A 
stress event, such as ESD, may cause circuit malfunction by 
coupling noise onto a critical node, with or without an 
over/under-voltage. For example, a clock oscillator signal may 
couple noise such that it appears to have additional, unwanted 
transitions. Such a case may lead to circuit failure if a clock 
period becomes insufficiently short for circuit delays to complete 
as needed within each clock cycle. The circuit 500 may implement 
a timing element tuned to an average value of a clock to detect a 
shortened clock pulse. The circuit 500 generally comprises a pad 
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502, a pad 504, an oscillator circuit 506, a tunable delay circuit 
508, a short pulse detect circuit 510 and a register 512. 

The pad 502 and the pad 504 may be coupled to the 
oscillator circuit 506 and an external device (not shown) . For 
5 example, the pad 502 may be coupled to a crystal. The oscillator 
circuit 506 may be configured to generate a signal (e.g., 
O DEVICE_CLOCK) . The signal DEVICE_CLOCK may be presented to the 
p tunable delay circuit 508 and the short pulse detect circuit 510. 

j|j The tunable delay circuit 508 may be configured to present a signal 

HI 

to the short pulse detect circuit 510. The short pulse detect 
W circuit 510 may then present a signal to the register 512 in 

Hi 

^ response to the tunable delay circuit 508 and the signal 
hi DEVICE_CLOCK. The short pulse detect circuit 510 may be configured 
to clock the register 512. The register 512 may generate a signal 
15 (e.g., EVENT_CLOCK) . The signal EVENT_CLOCK may indicate 
additional transitions of the system clock DEVICE_CLOCK. 

Referring to FIG. 6, a circuit (or system) 600 configured 
to detect over- voltage is shown. The circuit 60 0 may be similar to 
the circuit 300. However, the circuit 600 may be implemented using 
20 a differential amplifier. The circuit 600 generally comprises a 
pad circuit 602, a pad 604 a resistance block 606, a transistor 

14 
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608, a resistance block 610, an amplifier 612 and a register 614. 
The resistance block 606 may have a predetermined resistance value 
(e.g., RLIMIT) . The resistance block 610 may have a predetermined 
resistance value (e.g., RLOAD) . 

The pad circuit 602 may be coupled to the pad 604. The 
pad 6 04 may be coupled to an external device (not shown) . The pad 
604 may also be coupled to a first side of the resistance block 
(RLIMIT) 606 and a first input of the amplifier 612. A second side 
of the resistance block (RLIMIT) 606 may be coupled to a source of 
the transistor 608 and a second input of the amplifier 612. A gate 
of the transistor 608 may be coupled to the power supply VCC. A 
drain of the transistor 608 may be coupled to a first side of the 
resistance block (RLOAD) 610. A second side of the resistance 
block (RLOAD) 610 may be coupled to ground. The output of the 
amplifier 612 may be coupled to the register 614. The register 614 
may be clocked by the amplifier 612. The register 612 may be 
configured to generate a signal (e.g., EVENT_OVER) . The signal 
EVENT_OVER may be configured as a fault causing event signal. In 
one example, the signal EVENT_OVER may be configured as an 
over-voltage event signal. 
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Referring to FIG. 7, a circuit (or system) 700 for 
detecting high currents is shown. The circuit 700 may be 
configured to detect and store high current fault conditions. The 
circuit 700 generally comprises a comparator 702 and a register 
704. The comparator 702 may present a signal to the register 704 
in response to a signal (e.g., SUPPLYPTA) and a signal (e.g., 
SUPPLYPTB) . The register 704 may be clocked by the comparator 702. 
The register 704 may be configured to generate (and/or store) a 
signal (e.g., EVENT_HIGHCURRENT) . The comparator 702 may contain 
hysteresis such that when a particular monitoring point (e.g. the 
signal SUPPLYPTA or SUPPLYPTB) is sufficiently higher or lower in 
voltage than another point (e.g., the other signal SUPPLYPTA or 
SUPPLYPTB), the comparator 702 may switch states. 

Hysteresis is the measure for a comparator for which an 
input threshold changes as a function of the input (or output) 
level. More specifically, when the input passes the input 
threshold, the output changes state and the input threshold is 
subsequently reduced so that the input must return beyond the 
initial input threshold before the output of the comparator changes 
state again. 
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By switching states, the comparator 7 02 may indicate a 
possible fault condition. A second comparator (not shown) may also 
be implemented with opposite polarity to detect a power supply 
difference of the opposite polarity from the comparator 702. 

The microcontroller application 2 00 may allow firmware to 
poll the event detect lines as desired to determine if a 
potentially hazardous event has occurred. However, coupling a high 
current to a pin may lead to an over/under- voltage . Therefore, the 
circuits 300, 400, 600 and 700 may be implemented to detect 
over/under-voltage stress as well. 

Alternatively, capacitive coupling may also be configured 
to detect events for a particular fault causing implementation. 
Implementing devices not normally found on integrated circuits may 
enable significant additional options. For example, a zener diode 
may be implemented to detect over-voltages. Such approaches may 
be viable for state-machine type implementations in addition to 
microcontroller implementations. Various known implementations of 
the over/under-voltage detection circuits may be implemented to 
meet the design criteria of a particular implementation. 

The process 100 may detect over-stresses to increase the 
robustness of device operation. The process 100 may allow a device 
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to be either directly reset on a disturbance event, or to be 
monitored and take appropriate recovery action when events occur. 
The process 100 may also provide flexibility in response to stress 
conditions . 

Registering and monitoring the fault causing events may 
enable such an appropriate configuration. For example, a mouse 
user may want to reset completely and start over. A keyboard user 
may want to flush current keyboard buffers, reload default state 
values, and continue. A user of an external flash memory may need 
to check the integrity of previous data writes. In addition, the 
detection capability of the process 100 may allow a device to take 
any appropriate recovery (or reset) action when stress events are 
occurring, or even when such events do not actually cause a device 
failure. For example, a stress event may indicate that 
environmentally harsh conditions are beginning, such that a back-up 
operation may need to be started immediately. 

The process 100 may detect and store stress event 
occurrences. The process may be implemented to detect 

over/under-voltage conditions. The process 100 may enable a 
microcontroller to monitor stress events and respond by taking 
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appropriate action. The process 100 may allow devices to 
incorporate a method that responds to a detected stress event. 

While the invention has been particularly shown and 
described with reference to the preferred embodiments thereof, it 
will be understood by those skilled in the art that various changes 
in form and details may be made without departing from the spirit 
and scope of the invention. 



